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Abstract — Two parties, Alice and Bob, wish to distill a 
binary secret key out of a list of correlated variables that 
they share after running a quantum key distribution pro- 
tocol based on continuous-spectrum quantum carriers. We 
present a novel construction that allows the legitimate par- 
ties to get equal bit strings out of correlated variables by 
using a classical channel, with as few leaked information as 
possible. This opens the way to securely correcting non- 
binary key elements. In particular, the construction is re- 
fined to the case of Gaussian variables as it applies directly 
to recent continuous- variable protocols for quantum key dis- 
tribution. 

Keywords — Cryptography, secret-key agreement, privacy 
amplification, quantum secret key distribution. 



I. Introduction 

With the advent of quantum key distribution (QKD), 
sometimes also called quantum cryptography, it is possible 
for two remote parties, Alice and Bob, to securely agree 
on secret information that shall later be used as a key for 
encrypting messages 0, j|, j|, ||. Although most QKD 
schemes make use of a discrete modulation of quantum 
states, such as BB84 [y, some recent protocols ||, || use 
a continuous modulation of quantum states, thus produc- 
ing continuous random variables. In particular, in |7J], a 
QKD scheme based on the Gaussian modulation of quan- 
tum coherent states is demonstrated, which generates cor- 
related Gaussian variables at Alice's and Bob's sides. The 
construction of a common secret key from discrete vari- 
ables partly known to an adversary has been a long studied 
problem ||, ||, [pLOfl , pif . However, in order to bring the 
intrinsically continuous QKD experiments up to getting a 
usable secret key, such key construction techniques needed 
to be adapted to Gaussian variables. 

In QKD, the quantum channel that Alice and Bob use 
to create a secret key is not deemed to be perfect. Noise 
will necessarily make Alice's and Bob's values different. 
Furthermore, the laws of quantum mechanics imply that 
eavesdropping also causes extra discrepancies, making the 
eavesdropper detectable. To overcome this, one can cor- 
rect errors by using some reconciliation protocol, carried 
out over a public authenticated channel M, pd|. Yet, this 
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does not entirely solve the problem as an eavesdropper can 
gain some information about the key while Alice and Bob 
exchange their public reconciliation messages. Fortunately, 
such gained information can then be wiped out, at the cost 
of a reduction in the secret key length, using another pro- 
tocol called privacy amplification J8|, pj] . 

Current reconciliation and privacy amplification proto- 
cols are aimed at correcting and distilling strings of bits. 
However, the recently developed continuous-variable QKD 
schemes cannot be complemented efficiently with such dis- 
crete protocols. This paper proposes an extention of these 
protocols in the case of non-binary - and in particular 
Gaussian - key elements. 

II. Quantum Distribution of a Gaussian Key 

In QKD, Alice and Bob use a quantum channel in order 
to share secret random data (a secret key) that can then be 
used for exchanging encrypted information. Since its incep- 
tion, QKD has traditionally been developed with discrete 
quantum carriers, especially quantum bits (implemented 
e.g., as the polarization state of single photons). Yet, it has 
been shown recently that the use of continuous quantum 
carriers is advantageous in some situations, namely because 
high secret key bit rates can be attained [pi. The post- 
processing of the raw data produced by such continuous- 
variable protocols therefore deserves further investigation. 

As we shall see, the security of QKD fundamentally re- 
lies on the fact that the measurement of incompatible vari- 
ables inevitably affects the state of a quantum system. In 
a scheme such as BB84, Alice sends random key elements 
(e.g., key bits) to Bob using either one of two conjugate sets 
of quantum information carriers. Alice randomly chooses 
one of the two sets of carriers, encodes a random key ele- 
ment using this set, and sends it to Bob. On his side, Bob 
measures the received quantum state assuming either set 
was used at random. The two sets of quantum informa- 
tion carriers are designed in such a way that measuring the 
wrong set yields random uncorrelated results (i.e., the two 
sets are conjugate). Therefore, Bob will measure correctly 
only half of the key elements Alice sent him, not know- 
ing which ones are wrong. After the process, Alice reveals 
which set of carriers she chose for each key element, and 
Bob is then able to discard all the wrong measurements, 
the remaining data making the key. 

An eavesdropper (Eve) can of course intercept the quan- 
tum carriers and try to measure them. However, like Bob, 
Eve does not know in advance which set of carriers Alice 
chose for each key element. A measurement will yield ir- 
relevant results about half of the time, and thereby disturb 



the state of the carrier. Not knowing if she has a correct 
value, Eve can decide to retransmit or not a quantum car- 
rier with the key element she obtained. Discarding a key 
element is useless for Eve since this sample will not be used 
by Alice and Bob to make the key. However, if she does 
retransmit the state (even though it is wrong half of the 
time), Alice and Bob will detect her presence by an un- 
usually high error rate between their key elements. QKD 
works because Bob has the advantage, over Eve, of being 
able to talk to Alice over a classical authenticated channel 
in order to select a common key and discard Eve's partial 
knowledge on it. 

The continuous- variable QKD protocols described in || , 
H take advantage of a pair of canonically conjugate con- 
tinuous variables such as the two quadratures X\ and X2 
of the amplitude of a mode of the electromagnetic field, 
which behave just like position x and momentum p pjfl . 
The uncertainty relation AX\ AA 2 > 1/4 then states that 
it is impossible to measure with full accuracy both quadra- 
tures of a single mode, X\ and X 2 - This can be exploited 
by associating the two sets of quantum information car- 
riers with X\ and X2, respectively. For example, in the 
protocol ||, these two sets of carriers essentially behave 
like 2D Gaussian distributions in the [Xx^X^] plane. In 
set 1, the carriers are shaped as N(x, o~i) x iV(0, l/4oV), 
with <7i < 1/4 corresponding to the squeezing of X\ J12J. 
Here, x is the key element Alice wishes to send, and is it- 
self distributed as a Gaussian: x ~ ^V(0, Si). In set 2, the 
carriers are similar but X\ and X 2 are interchanged, that 
is, A(0, l/4cr 2 ) x N(x, a 2 ), with a 2 < 1/4. The raw key in- 
formation is thus encoded sometimes in X\ and sometimes 
in X 2 , and the protocol resembles a continuous version of 
BB84. In contrast, in ||, two Gaussian raw key elements 
xi and X2 are simultaneously encoded in a coherent state 
shaped as N(x 1 ,l/2) x iV(x 2 ,l/2) in the {X 1 ,X 2 ) plane. 
Bob can however only measure one of them, not both, so 
that only one Gaussian value x — x\ or 2 is really trans- 
mitted. Eve, not knowing which one Bob will measure, 
necessarily disturbs x\ when attempting to infer x 2 and 
vice- versa, and she in general disturbs both to some extent 
whatever the trade-off between acquired knowledge and in- 
duced disturbance she chooses. 

In all these continuous- variable protocols, the vacuum 
noise fluctuations of the transmitted states are such that 
Bob's measurement will not give him the exact value x cho- 
sen by Alice, even in absence of eavesdropping and with a 
perfect measurement apparatus. The noise is Gaussian and 
additive, allowing us to model the transmission as a Gaus- 
sian channel. The amplitude of the noise can be estimated 
by Alice and Bob when they compare a subset of their ex- 
changed values. Any noise level beyond the intrinsic fluctu- 
ations must be attributed to Eve, giving an estimate on the 
amount of information I(X;E) that she was able to infer 
in the worst case pi, B, M. This information, along with 
the information Eve gains by monitoring the reconciliation 
protocol, must then be eliminated via privacy amplifica- 
tion. 

Finally, note that Alice must strictly respect x ~ 



iV(0,S lor2 ) or (Xi,x 2 ) ~ JV(&i,l/2) x A(x 2 ,l/2). She 
may not choose a codebook x(k) from some discrete al- 
phabet to R that displays the same variance. The result- 
ing distribution would not be Gaussian, and Eve would be 
able to take advantage of this situation. For example in H, 
measuring the correct or the wrong set must yield statisti- 
cally indistinguishable results. If not the case, Eve would 
be able to infer whether she measured the correct set of 
carriers and adapt her strategy to this knowledge. 

III. Problem Description 
A. Problem Statement 

The two parties each have access to a distinct random 
variable, namely X for Alice and X 1 for Bob, with non- 
zero mutual information I(X\ X') > 0. This models the 
quantum modulation and measurement of a QKD scheme, 
but other sources of common randomness could as well be 
used. When running the same QKD protocol several times, 
the instances of X (resp. X') are denoted X\...Xi (resp. 
X[ . . . X[) for the time slots 1 . . .1, and are assumed inde- 
pendent for different time slots. The outcomes are denoted 
with the corresponding lower-case letters. An eavesdrop- 
per Eve also has access to a random variable E, resulting 
from tapping the quantum channel. These are also consid- 
ered independent for different time slots, hence assuming 
individual attacks B. 

The goal of the legitimate parties is to distill a secret key, 
i.e., to end up with a shared binary string that is unknown 
to Eve. We assume as a convention that Alice's outcomes 
of X will determine the shared key K(X). It is of course 
not a problem if the roles are reversed, as required in . 
The function K(X) is chosen to be discrete, even if X is 
continuous in nature, and this aspect is discussed below. 

In principle, secret key distillation does not require sep- 
arate reconciliation and privacy amplification procedures, 
but it is much easier to use such a two-step approach. 

First, reconciliation consists in exchanging reconciliation 
messages over the public authenticated classical channel, 
collectively denoted C, so that Bob can recover K(Xi,,,i) 
from C and -Xi..j. By compressing K(X\„j), Alice and 
Bob can obtain about IH(K(X)) common random bits. 

Then, privacy amplification can be achieved by universal 
hashing | fi3[ , [ JLjJ . Starting from K{X\...i), the decrease 
in key length is roughly equal to II(K(X);E) + \C\, as 
shown in (llj, [14], |L5J, where \C\ is the number of bits 
exchanged and where I(K(X);E) is determined from the 
disturbance measured during the QKD procedure. Privacy 
amplification therefore does not need special adaptations 
in our case, as the existing protocols can readily be used. 

Maximizing the net secret key rate H(K(X)) — 
I(K(X);E) — J -1 |C| involves to take all possible eaves- 
dropping strategies into account during the optimization, 
which is very difficult in general. Instead, we notice that 
I{K{X);E) < I(X; E), the latter being independent of the 
reconciliation procedure. Hence, we wish to devise a pro- 
cedure that produces a large number of fully secret equal 
bits, hence to maximize H(K(X)) — £ _1 |C|. 



B. Discrete vs Continuous Variables 



IV. Sliced Error Correction 



It is shown in H, km, W that working with continuous 
quantum states as carriers of information naturally leads to 
expressing information in a continuous form. It is therefore 
natural to devise an all-continuous cryptographic process- 
ing. Nevertheless, we found more advantageous to distill a 
discrete secret key than a continuous one, and these aspects 
are now discussed. 

First, a continuous secret key would need to be used 
along with a continuous version of the one-time pad, which 
is possible |16| , but would most certainly suffer from incom- 
patibilities or inefficiencies with regard to current technolo- 
gies and applications. Furthermore, it is much more conve- 
nient to rely on the equality of Alice's and Bob's values in 
the discrete case, rather than dealing with bounded errors 
on real numbers. The resulting secret key is thus chosen to 
be discrete. 

Second, the reconciliation messages can either be contin- 
uous or discrete. Unless the public authenticated classical 
channel has infinite capacity, exchanged reconciliation mes- 
sages are either discrete or noisy continuous values. The 
latter case introduces additional uncertainties into the pro- 
tocol, which quite goes against our purposes. Furthermore, 
a noisy continuous reconciliation message would less effi- 
ciently benefit from the authentication feature of the recon- 
ciliation channel. Hence, discrete reconciliation messages 
are preferred. 

Third, the choice of a discrete final key also induces 
discrete effects in the protocols, which makes natural the 
choice of a continuous-to-discrete conversion during rec- 
onciliation. Call x the original Gaussian value that Al- 
ice sent, x' the Gaussian value as received by Bob, and k 
the resulting discrete key element. The process of recon- 
ciliation and privacy amplification can be summarized as 
functions k = /a(%, c) and k = /s(a/,c), where c indi- 
cate the exchanged messages. As both k and c are to be 
taken in some finite set, these two functions define each a 
finite family of subsets of values that give the same result: 
She = {x : fA(x,c) = k} and S' kc = {x 1 : f B {x',c) = k}. 
The identification of the subset in which x (or x') lies is the 
only data of interest - and can be expressed using discrete 
variables - whereas the value within that subset does not 
affect the result and can merely be considered as noise. 

Finally, the discrete conversion does not put a funda- 
mental limit on the resulting efficiency. It is possible (see 
Sec. Ifv]) to bring \C\ as close as desired to IH(K(X)\X'), 



giving almost I(K(X);X') secret bits per raw key element. 
Also, one can define K{X) as a fine-grained quantizer so 
that I(K(X);X') can be made arbitrarily close to I(X\ X') 
[ pj| . On the other hand, no continuous protocol can expect 
Alice and Bob to share more secret information than what 
they initially share I(X;X'). 

For all the reasons stated above, our reconciliation pro- 
tocol mainly consists of exchanging discrete information 
between the two communicating parties so that they can 
deduce the same discrete representation from the real val- 
ues they initially share. 



Sliced error correction (SEC) is a generic reconciliation 
protocol that corrects strings of non-binary elements. It 
gives, with high probability, two communicating parties, 
Alice and Bob, equal binary digits from a list of correlated 
values. Just like other error correction protocols, it makes 
use of a public authenticated channel. The underlying idea 
is to convert Alice's and Bob's values into strings of bits, 
apply a bitwise correction protocol (BCP) as a primitive 
and take advantage of all available information to minimize 
the number of exchanged reconciliation messages. 

The key feature of this generic protocol is that it enables 
Alice and Bob to correct errors that are not modeled using 
a binary symmetric channel (BSC), although using a BCP 
that is optimized for a BSC. 

To remain general, Alice and Bob can process multi- 
dimensional key values and group them into d-dimensional 
vectors. In the sequel, X and X' denote d-dimensional vari- 
ables, taking values in what is defined as the raw key space, 
i.e., R d for Gaussian variables. When explicitly needed by 
the discussion, the dimension of the variables is noted with 
a -W superscript. 

To define the protocol, we must first define the slice func- 
tions. A slice S(x) is a function from Alice's raw key space 
to GF{2). A vector of slices S\... m {x) = (Si(x), . . . , S m (x)) 
is chosen so as to map Alice's raw key elements to a dis- 
crete alphabet of size at most 2™. A vector of slices will 
convert Alice's raw key elements into binary digits, that is, 
K{X) = Si... m (x). 

Each of the slice estimators Si(x'), S2(x',Si(x)) 
. . . S m (x', Si(x), . . . , S m -i(x)) defines a mapping from 
Bob's raw key space and from Alice's slices of lower in- 
dexes to GF(2). These will be used by Bob to guess Si(X) 
the best he can given his knowledge of X' and of the slice 
bits previously corrected. 

The construction of the slices Si(X) and their estima- 
tors depends on the nature and distribution of the raw key 
elements. These aspects are covered in a following section, 
where we apply the SEC to our Gaussian key elements. 

Let us now describe our generic protocol, which assume 
that Alice and Bob defined and agreed on the functions S{ 
and Si- 

• From her I key elements x\...Xi, Alice prepares m 
strings of bits using the defined slices (Si(xi), . . . , S\(xi)), 
. . . , (S m (xi), . . . , S m (xi)). She starts with the first one: 
(S 1 {x 1 ),...,S 1 (xi)). 

• Bob constructs a string of bits from x\. . . x\ using his 
slice estimator S\. (Si(x'i), . . . , Si(x[)). 

• Alice and Bob make use of a chosen BCP so that Bob 
aligns his bit string on Alice's. 

• For each subsequent slice i, 2 < i < m, Alice takes 
her string (Si(x±), . . . , Si(xi)), while Bob constructs a new 
string using his slice estimator Si applied to his values 
x'i . . . x\ and taking into account the correct bit values of 
the previous slices S\{x\), . . . ,Si(x\), ■ ■ ■ , Si-i(x;). Again, 
Bob aligns his bit string to Alice's using the chosen BCP. 

• For Alice, the resulting bitstring is simply the concate- 
nation of the m /-bit strings: Si... m (xi..j). For Bob, the 



shared bitstring is the same as Alice's, obtained from the 
previous steps. 

The goal of SEC is to correct errors by disclosing as 
few information as possible on the key shared by Alice and 
Bob. However, one does not expect a protocol running with 
strings of finite length and using finite computing resources 
to achieve the Shannon bound I(X;X') exactly. Yet, it is 
easy to show that SEC is indeed asymptotically efficient, 
that is, it reaches the Shannon bound in terms of leaked 
information when the number of dimensions d (i.e., the 
input alphabet size) goes to infinity. 

A famous theorem by Slepian and Wolf |U| shows the 
achievability rate regions for encoding correlated sources. 
In the context of SEC, this means that, with d sufficiently 
large, there exist slice functions such that disclosing the 
first r = [dH(K(X^)\X' {l) ) + lj slices Si... r (XW) is 
enough for Bob to recover the m — r remaining ones and 
reconstruct Si... m (X^ d ') with arbitrarily low probability of 
error. An alternate proof is proposed in Appendix |A|. 

It is necessary here to quantize X', as Slepian and Wolf's 
theorem assumes discrete variables. As shown in §LT\i , X' 
can be approximated as accurately as necessary by a dis- 
crete variable X', with H(K(X)\X') -> H(K{X)\X'). 

V. Analysis of Sliced Error Correction 

Let us now analyze the amount of information leaked on 
the public channel during SEC. Clearly, this will depend 
on the primitive BCP chosen. This aspect will be detailed 
in a following section. 

If not using SEC, one can in theory use encoding of cor- 
related information |18| to achieve, when I — ► oo, 



r 1 \c\=i ^H(s l ... m (x)\x'). 



(1) 



When using slices, however, the BCP blindly processes the 
bits calculated by Alice Si(X) on one side and the bits 
calculated by Bob §i(X', Si...;_i(Jf)) on the other. The I 
bits produced by the slices are of course independent from 
time slot to time slot. Assuming a perfect BCP, 

m 

r 1 |q=i s = ^(s,(i)|s,(i',s 1 ...,_ 1 (i)))>i„. (2) 



is approximately proportional to h(e), i.e., (1 + £)/i(e) for 
some overhead constant £. An explicit construction of slice 
estimators applying the expression of I e in Eq. (Q) is ex- 
amined next. 

A. Maximum Likelihood Slice Estimators 

The error probability in slice i can then be expressed as 
the probability that Bob's slice estimator yields a result 
different from Alice's slice: 



e i = P S l i § i +P s° i S i ' wit ' h 
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{{x, x') : Sj(x) = #,- A • • • A Si(x) = Pi 
A S i (x',Si.. A - 1 (x)) = b}. 



(4) 
(5) 



(6) 



Maximizing the global efficiency of the slice estimators is 
not a simple task because the efficiency of a slice estimator 
Si recursively depends on all previous estimators Sj<i. For 
this reason, our goal here is simply to minimize each a, of 
which h(ei) is an increasing function for < e, < i ; by 
acting only on Si. This results in an explicit expression for 
Si(x', Si(a:), . . . , #_i(aO), see Eq. ©. 
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sum of smaller probabilities over all possible values /3j<i 
the previous slices, namely 
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Each of these terms can be further expanded as 
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The inequality follows from the fact that H(S\... m (X)\X') = 
52 i H(S i (X)\X',Si„.i-i(X)) and that the term in the sum 
cannot decrease if replaced by H(Si (X) \Si (X', Si...i-i(X))). 
The primitive BCP can be optimized to work on a binary 
symmetric channel (BSC-BCP), thus blindly assuming that 
the bits produced by the slices and the slice estimators are 
balanced. Assuming a perfect BSC-BCP, 



r 1 \c\ = i B ±Y i h(e i )>i a , 



(3) 



i=l 



withh(e) = -eloge-(l-e)log(l-e)aadej = Pr[S l {X) ^ 
Si(X', Si...i-i(X))]. The inequality follows from Fano's in- 
equality |l7J] applied to a binary alphabet. In practice, a 
BSC-BCP is expected to disclose a number of bits that 



From this, it is easy to show that a slice estimator Si 
minimizes e,- if it has the form 



Si(x',P 



1..A-1) — 



iiP^l(x')>pt;;i(x'), 

1 otherwise, 



(12) 
except for cases where the probabilities are equal or over 
some zero-measure set. To minimize e^ = P° X g + -Pi°s , 
one can thus take advantage of the independence of smaller 
terms in (R) and minimize them individually. From Eq. (pf) , 
the terms Pf; 1 '"" ^ , for a correct guess, and Pf; 1 '"" ^ , for 
a wrong guess, result from the integration of the same 
function over two different sets, namely B„ 1 "J^ 1 % and 

Ol...Di_lOi 

BJ'"*~ 1 '% . Therefore, the domain of correct guesses 
should simply cover all subsets in which the integrand is 



larger, and leave the smaller parts to the domain of wrong 
guesses. Eq. ( |l2|) is simply the maximum likelihood prin- 
ciple, expressed for slice estimators. 

Note that when using Eq. (|12|), the bit error rate ej can 
be evaluated as 



{p^l(x'),PtW))dx'. (13) 



B. Bitwise Correction Protocols 

To be able to use sliced error correction, it is necessary to 
chose a suitable BCP. There are first two trivial protocols 
that are worth noting. The first one consists in disclosing 
the slice entirely, while the second does not disclose any- 
thing. These are at least of theoretical interest with the 
asymptotical optimality of SEC: It is sufficient for Alice 
to transmit entirely the first r = \dH(K(X^)\X' (l) ) + lj 
slices and not transmit the remaining m — r ones. 

A BCP can consist in sending syndromes of error- 
correcting codes, see e.g., frL9|| . In binary QKD proto- 
cols, however, an interactive reconciliation protocol is often 
used, such as Cascade g, @, [|H|, g| or Winnow g§. 
In practice, interactivity offers overwhelmingly small prob- 
ability of errors at the end of the protocol, which is valuable 
for producing a usable secret key. 

Let us briefly analyze the cost of Cascade, which con- 
sists in exchanging parities of various subsets of bits 0. 
Let A, B e GF(2) 1 be respectively Alice's and Bob's bi- 
nary string of size I constructed from some slice Si and its 
estimator Si. After running Cascade, Alice (resp. Bob) 
disclosed RA (resp. RB) for some matrix R of size n x I. 
They thus communicated the parities calculated over iden- 
tical subsets of bit positions. The matrix R and the number 
n of disclosed parities are not known beforehand but are the 
result of the interactive protocol and of the number and po- 
sitions of the diverging parities encountered. The expected 
value of n is n w 1(1 + £)/i(e), where e = Pr[/4j ^ BA is 
the bit error rate, and £ is some small overhead factor. 

If A and B are balanced and are connected by a BSC, 
the parities RA give Eve n bits of information on A, but 
RB does not give any extra information since it is merely 
a noisy version of RA. Stated otherwise, A — » RA — » RB 
is a Markov chain, hence only n m 1(1 + £,)h(e) bits are 
disclosed, which is not far away from the ideal lh(e). 

However, in the more general case where Eve gathered in 
E some information on A and B by tapping the quantum 
channel, A\E ^ RA\E — > RB\E does not necessarily form 
a Markov chain. Instead, it must be upper bounded by the 
number of bits disclosed by both parties as if they were 
independent, \C\ = 2n sw 21(1 + £)h(e). 

Such a penalty is an effect of interactivity, as both Alice 
and Bob disclose some information. This can however be 
reduced by noticing that RA and RB can also be equiva- 
lently expressed by RA and R(A + B). The first term RA 
gives information directly on Alice's bits A = Sj(Xl.j) for 
some slice number i, which are used as a part of the key. 
The second term R(A + B) however contains mostly noise 
and does not contribute much to Eve's knowledge. This 



must however be explicitly evaluated with all the details of 
the QKD protocol in hands 0. 

With SEC, it is not required to use the same protocol 
for all slices. Non-interactive and interactive BCPs can be 
combined. In the particular case of slices with large e*, 
disclosing the entire slice may cost less than interactively 
correcting it. Overall, the number of bits revealed is: 



\c\ 



Z^ 



\Ci\, with \d\ = min(Z, /j(/,e,)) , 



(14) 



and fi(l,ei) the expected number of bits disclosed by the 
BCP assigned to slice i working on I bits with a bit error 
rate equal to ej. 

As d grows and it becomes sufficient to only disclose 
the first r slices so as to leave an acceptable residual er- 
ror, using a practical BCP comes closer to the bound 
l- l \C\ > H(K(X)\X'). This follows from the obvious fact 
that I -1 531=1 |C»I ^ r J while the last slices can be ignored 
fi = 0,i>r. 

VI. Correction of Gaussian Key Elements 

We must now deal with the reconciliation of information 
from Gaussian variables X ~ N(Q, S) and X' = X + e, 
e ~ N(0,a). Let us first show that this problem is dif- 
ferent from known transmission schemes, namely quanti- 
zation and coded modulation. We temporarily leave out 
the slice estimation problem and assume that Bob wants 
to have most information (in Shannon's sense) about a dis- 
crete value T(X), computed by Alice, given its noisy value 
X'. 

In a vector quantization (VQ) system, a random input 
vector X is transmitted over a noiseless discrete channel us- 
ing the index of the closest code- vector in a given codebook. 
The codebook design issue has been extensively studied in 
the VQ literature |24j]. The criterion to optimize in that 
case is the average distortion between X and the set of re- 
production vectors. In our problem, we do not have repro- 
duction vectors since we are not interested in reproducing 
the continuous code but rather extracting common infor- 
mation. 

In a coded modulation system, a binary key k is sent over 
a continuous noisy channel using a vector X belonging to a 
codebook in a Euclidean space. Trellis-coded modulation 
and lattice-based coded modulation are instances of this 
scheme. In this case, the information sent on the channel 
is chosen by Alice in a codebook, which is not true in our 
case. 

A. Design 

In this section, we present how we designed slices and 
slice estimators for specifically correcting Gaussian raw 
keys. We now assume d = 1, that is, Alice and Bob use 
Gaussian key elements individually. The idea is to divide 
the set of real numbers into intervals and to assign slice val- 
ues to each of these intervals. The slice estimators are then 
derived as most likelihood estimators as explained above. 

For simplicity, the design of the slices was divided into 
two smaller independent problems. First, we cut the set of 



real numbers (Alice's raw key space) into a chosen number 
of intervals - call this process T{X ). For the chosen number 
of intervals, we try to maximize I(T(X); X'). Second, we 
assign to binary values to these intervals in such a way that 
slices can be corrected with as few leaked information as 
possible. 

If the reconciliation is optimal, it produces H(T(X)) 
common bits and discloses Iq bits, thus from Eq. (|lj) giv- 
ing a net result of H(T(X)) - H(T(X)\X') = I(T(X); X') 
bits. Note that Si... m (X) will be an invertible function of 
T(X). However, optimizing I(T{X)\X') does not depend 
on the bit assignment, so this is not yet relevant. 

The process T(X) of dividing the real numbers into 
t intervals is defined by t — 1 variables t± . . .T t -\. The 
interval a with 1 < a < t is then defined by the set 
{x : r a _i < x < r a } where To = — oo and T t = +00. 
The function I(T(X); X') was numerically maximized un- 
der the symmetry constrains r a = r t _ a to reduce the num- 
ber of variables to process. 

The results are displayed in Fig. [I] below. I(T{X);X') 
is bounded from above by \ogt and goes to \ log(l + SNR) 
as t — > 00. 

Let us detail the expressions we evaluated. The random 
variable X is Gaussian with variance S 2 . X' is the result 
of adding a random noise e of variance a 2 to X. Hence, 
the random variables X and X' follow the joint density 
function 



fx,x'(x,x r ) = 



1 



27rScr 



_ e -x 2 /212 2 e -(x-x') 2 /2a 2 



Since I(T{X);X') = H(T{X)) + H(X') - H(T(X),X'), 
we need to evaluate the following terms. 

H(T(X))=-J2 p « l °S p a, with 

H(X') = - log 27re(S 2 + a 2 ), and 

/+00 
dx'f a (x')logf a (x'), with 
-00 

fa(x')= / dxf x .x'{x,x'). 



From the above procedure, we get intervals that are 
bounded by the thresholds r Q . The next step is to con- 
struct to slices that return binary values for each of these 
intervals. Let us restrict ourselves to the case where t is 
a power of two, namely t = 2 m . We investigated several 
assignment methods, and it turned out that the best bit as- 
signment method consists of assigning the least significant 
bit of the binary representation of a— 1 (0 < a— 1 < 2 m — 1) 
to the first slice Si(x) when r a _i < x < r a . Then, each 
bit of a — 1 is subsequently assigned up to the most signif- 
icant bit, which is assigned to the last slice S m (x). More 
explicitly, 



Si{x) 



if T 2 i n < X < T 2 i n+2 i 

1 otherwise. 



(15) 



This ensures that the first slices containing noisy values 
help Bob narrow down his guess as quickly as possible. 

B. Numerical Results 

Let us now give some numerical examples in the case of a 
BCP optimized for a BSC, as this is the most frequent case 
in practice. To make the discussion independent of the cho- 
sen BCP, we evaluated H{S\... m {X)) and I e = ^ h(ei) for 
several (to, T,/a) pairs, thus assuming a perfect BSC-BCP. 
(Note that, in practice, one can make use of the properties 
of the practical BCP chosen so as to optimize the practical 
net secret key rate J7|.) 

Assume that the Gaussian channel has a signal-to-noise 
ratio of 3. According to Shannon's formula, a maximum of 
1 bit can thus be transmitted over such a channel. Various 
values of to are plotted in Fig. |^. First, consider the case 
to = 1, that is only one bit is extracted and corrected per 
Gaussian value. From our construction in Eq. (jig), the 
slice reduces to the sign of x: S\(x) = 1 when x > and 
S\{x) — otherwise. Accordingly, Bob's most likelihood 
estimator ( [12] ) is equivalent to Alice's slice, Si(x') — Si(x'). 
In this case, the probability that Alice's and Bob's values 
differ in sign is e\ « 0.167 and hence I e = h(e\) « 0.65 
bits. The net amount of information is thus approximately 
1 — 0.65 = 0.35 bit per raw key element. 

Let us now investigate the case of m = 4 slices, still with 
a signal-to-noise ratio of 3. The division of the raw key 
space into intervals that maximizes I(T(X); X') is given 
in Fig. S. Note that the generated intervals blend evenly 
distributed intervals and equal- width intervals. Evenly dis- 
tributed intervals maximize entropy, whereas equal-width 
intervals best deal with additive Gaussian noise. 

Alice's slices follow Eq. (Eq), and Bob's slice estimators 
are defined as usual using Eq. (|l2|). The correction of the 
first two slices (i.e., the least two significant bits of the 
interval number) have an error rate that make them almost 
uncorrelated, namely e\ w 0.496 and e 2 w 0.468. Then 
comes e3 « 0.25 and e^ « 0.02. Note that slice 4 gives the 
sign of x, just like the only slice when to = 1 above. The 
error rate is different here because correcting slice 4 in this 
case benefits from the correction of the first three slices. 
Indeed, for to = 4, the net amount of information is about 
3.78 — 2.95 = 0.83 bit per raw key element. 

We also investigated other signal-to-noise ratios. When 
Y? ja 2 — 15, Alice and Bob can share up to 2 bits per 
raw key element. With to = 5, this gives a net amount of 
information of about 1.81 bits per raw key element. 

As one can notice, the first few error rates (e.g., ei and 
e 2 ) are high and then the next ones fall dramatically. The 
first slices are used to narrow down the search among the 
most likely possibilities Bob can infer, and then the last 
slices compose the shared secret information. Also, slices 
with high error rates play the role of sketching a hypo- 
thetical codebook to which Alice's value belongs. After 
revealing the first few slices, Bob knows that her value lies 
in a certain number of narrow intervals with wide spaces 
between them. If Alice had the possibility of choosing a 
codebook, she would pick up a value from a discrete list of 
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Fig. 1 
Optimized I(T(X); X') as a function of log* for various 
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H(Sl... m (X)), Ie AND THEIR DIFFERENCE AS A FUNCTION OF THE 
NUMBER OF SLICES m WHEN E 2 /<7 2 = 3 



values - a situation similar to the one just mentioned ex- 
cept for the interval width. Using more slices m > 4 would 
simply make these codebook-like intervals narrower. 

In figure 0, we show these error rates for m = 4 when the 
noise level varies. From the role of sketching a codebook, 
slices gradually gain the role of really extracting informa- 
tion as their error rates decrease with the noise level. 

VII. Conclusions 

Current reconciliation procedures are aimed at correct- 
ing strings of bits. A new construction for reconciliation 
was proposed, which can be implemented for extracting 
common information out of any shared variables, either 
discrete or continuous. This construction is then applied 
to the special case of Gaussian key elements, in order to 
complement Gaussian-modulated quantum key distribu- 
tion schemes [pi, H, M. This might also be applied to 
other quantum key distribution schemes [£5| , [^6| , |^7j , Q 
that deal with continuous variables as well. We showed the- 
oretical results on the optimality of our construction when 
applied to asymptotically large bloc sizes. Practical results 
about reconciliation of Gaussian key elements show that 
such a construction does not leak much more information 
than the theoretical bound. 
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Appendix 
I. Proof of Asymptotic Optimality 

Lemma 1: Let Z = {Z\ . . . Zm) a list of N random bit 
strings of arbitrary length, independently and uniformly 
distributed. The probability that a given string from the 
list, say Zj, can be uniquely identified in Z by specifying 
only the first r bits is (1 — 2~ r ) N ~ 1 . 

Proof: The probability of Zj being uniquely identi- 
fiable from its first r bits is the probability that no string 
among the N — 1 other ones in the list starts with the same 
pattern. Hence, this probability is (1 — 2~ r ) N ~ l . ■ 

Lemma 2: |l7j Let X and X' be discrete random vari- 
ables distributed as p(x,x') and A e (X,X') be the set 
of jointly typical sequences (X^ d \X ') of length d. Let 
x ' be some fixed sequence in the set A e (X') of typ- 
ical sequences in the marginal distribution of X' . Define 



A {d) {X\x' 



(d)s 



{x 



(<0 



/(^h 



i(«0/ 



{x^ d \x lW ) € AT'{X,X')}. Then, 



\A {d \x\x' {d) )\ < 2 d W xil) \ x ' {1) )+^). 

Lemma 3: Suppose that Alice sends a discrete random 
sequence X^ of length d and Bob receives a correlated 
sequence X , which are jointly typical (x^ d \x ) € 
A {d) {X,X'). Let m = \dH(X ( ^) + e~\. Let the m 
slices Si... m (X^) be chosen randomly using a uniform 
distribution independently for all input values. Let r = 
\dH{X^\X l{1) ) + 2e-\oge+l\. ThcnVe > 3D such that 
Vd> D, Bob can recover X& given X' {d) and Si... r (X^) 
with a probability of identification failure Pi < e. 

Proof: Alice and Bob agree on a random Si... m (X^). 
Assume that they draw sequences a;'"*) and x that fulfill 



the typicality conditions above. For the value received, 
Bob prepares a list of guesses: {x^ e A t (X\x ')}. 
From Lemma @, this list contains no more than N < 
2 dH ( x \ x ) +2e elements. Alice reveals r slice values, 
with r > dH(X ( ^\X' {1) ) + 2e- loge+ 1. From Lemma 0, 
the probability that Bob is unable to correctly iden- 
tify the correct string is bounded as P; < 1 — (1 — 

2 _^(X«|X'W)-2e + loge-l )2 «(- (1) l-' (1) )+--l_ Thig quan _ 

tity goes to 1 — e~ e / 2 when d — > oo, and 1 — e~ c / 2 < e/2 for 
e > 0. Therefore, 3D such that P t < e for all d> D. ■ 
Lemma 4-' Sliced error correction on the discrete vari- 
ables X and X', together with an all-or-nothing BCP, leaks 
an amount of information that is asymptotically close to 
H(X\X') per raw key element as d — > oo, with a probabil- 
ity of failure that can be made as small as desired. 

Proof: Using random coding arguments, lemma 
states that for each d sufficiently large, there exists slices 
S\' m of which the first ones are to be entirely disclosed, 
giving \C\ < l { - d \dH(X^\X' {l) ) + 2c-\ogc + 2. The num- 
ber l^ of key elements of dimension d is l^ — l^'/d 
with ZW the number of raw key elements. Hence \C\ < 
l^(H(X^\X' (1) ) + d- 1 (2e - loge + 2)). Regarding the 
probability of failure, there are two sources of possible 
failure: the failure of identification Pi and the fact that 
(x (d \x' (d) ) <£ Ai d) (X,X'). From Lemma | and from the 
AEP, both probabilities are upper bounded by e. There- 
fore, the total failure probability behaves as 0(e) when 
e^0. ■ 

Theorem 1: Sliced error correction on the random vari- 
ables X and X', together with an all-or-nothing BCP, can 
make H{K(X)) - r x |C| as close as desired to I{X; X'). 

Proof: If X is discrete, let K(X) — X, otherwise 
set K(X) = X, with X a quantized approximation of X. 
Similarly, let X' = X' when X' is discrete or approximate 
it with a discrete variable X' otherwise. For any e > 0, 
there exits X, X' such that I(X; X') > I(X; X') 



|17| 



By applying Lemma H on X and X' , we have \C\ < 
l(H(X\X') + e') for any e' > 0. Therefore, 



H(K(X)) ~ r x \C\ > H(X) ~ H{X\X') - e' 

>I(X;X')-e' 
>I(X;X')-e'-e. 



(16) 



Corollary 1: If we use a practical BCP instead of dis- 
closing the slice bits whenever this would leak less than I 
bits, the conclusion of Th. n] still applies. 

Proof: Assume that we can predict how many bits 
the practical BCP discloses, for instance given an estimate 
of the bit error rate. Disclosing a slice entirely, as done 
in Lemma y, reveals I bits. Whenever the practical BCP 
is expected to disclose less than I bits (e.g., when the bit 
error rate is low), we can use it instead of disclosing the 
entire key without increasing \C\. ■ 
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Error rates ei,2,3,4 as a function of the channel capacity 
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